We've got a potential problem of cache invalidation for API calls around modifying permissions of user groups.
We have to check and verify we fetch all users from user groups and invalidate they permission caches.